Apple iMessage Security: Can The Government Really Not Access It Or Is It Bull?

Last week, cnet.com reported that the US government's surveillance was being hampered by Apple's iMessage. Today, I see techdirt.com reporting on accusations that this could be the government's attempts to engage in disinformation. Personally, I think this is a case of people seeing a conspiracy where there is none. Why? Because I wasn't under the impression that the government couldn't access iMessage chats after reading Cnet's article.

Not a Secret: iMessages Sync Across Apple iDevices

Techdirt.com thoughtfully summarized Cnet's article:

CNET had a story revealing a "leaked" Drug Enforcement Agency (DEA) memo suggesting that messages sent via Apple's own iMessage system were untappable and were "frustrating" law enforcement.

And followed it by revealing that:

In reading over this, however, a number of people quickly called bullshit. While Apple boasts of "end-to-end encryption" it's pretty clear that Apple itself holds the key -- because if you boot up a brand new iOS device, you automatically get access to your old messages.

That's right. You're able to see your old iMessages in a new device. Indeed, if you have more than one device from Apple, you'll see that the chats are synchronized: you can start an iMessage chat on your iPhone, continue it on your iPad, then check up on it on your iPad mini or iPod Touch, and return to it via your iPhone. This feature, if I'm not wrong, was highlighted in one of Apple's commercials.

Apple's iMessage: Secure from Government Poking? Maybe... But It Isn't Meant to be

Now, the ability to synchronize your iMessages across the board obviously indicates that Apple is able to get to it, and we can infer from this that the government can force the company to hand over the information via a warrant or otherwise.

And yet, it's not unfair to say that government could feel stymied by iMessage, at least for the time being. Consider the following:

iMessage has end-to-end encryption. The celebrated BlackBerry messages also feature end-to-end encryption. The difference between BB and Apple, though, is that BlackBerry (the company) does not know which encryption key is used (the "enduser administrator" sets it). Apple has made no such promises.

iMessage uses TLS. Transport Layer Security is the successor to Secure Sockets Layer (SSL). Easily put, it's the crypto that ensures your online banking sessions are secure, or that your credit card numbers aren't hijacked while you're buying stuff online. This same encryption also secures your iMessages. While researchers are constantly teasing out potential problems (like this one), TLS is powerful crypto be design. You can bet that it's harder than not to crack iMessages.

Apple is not a telco.

That last one probably contributes most to the DEA's problems. As cnet.com's original reporting noted,

telecommunications providers [are required] to build in backdoors for easier surveillance, but [this] does not apply to Internet companies, which are required to provide technical assistance instead.

Think about it: there's no substantial difference between a text message and an iMessage. The major difference is that the former is delivered by a telco and the latter by Apple (well, technically iMessages also go through telcos. After all, they own the fiber that allows intercontinental communications possible. But the encryption for iMessages is handled by Apple, making the presence of telcos in the mix a moot point).

They're Just Like Us (But with Guns)

When you consider how much information flows in, out, and within the US, you can bet the government's surveillance operations are automated as much as possible, not just in terms of data analysis but also in terms of acquisition. What do you imagine the DEA's complaint would sound like if they had to veer away from their tried and true (and, in their minds, easy) way of monitoring communications? They'd probably sound like me when I have to manually fill in my tax forms as opposed to using Turbo Tax. (Impossible! Frustrating! Will be the downfall of civilization as we know it!)

Likewise, let's say you're in "middle management" at the DEA. You find that your agents aren't doing as good a job as they could because they failed to notice the gaps in the "text messages" they acquired from telcos. What do you do? Well, you write a memo and distribute it, with helpful pointers and comments on where the challenges lie.

That's what I see when I read the DEA's leaked memo. I don't particularly think it was written for a notorious or subversive purpose – albeit, it is perhaps worth considering why it was leaked.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.